GLBA Regulations and Compliance

The Financial Services Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and strong “pretexting” provisions.

The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information.

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions – such as credit reporting agencies – that receive customer information from other financial institutions.

Axcension understands the importance of these regulations and clearly defines how we can help you maintain GLBA compliance through:

  • Online and downloadable HIPAA Privacy Statements

  • Secure web communication

  • Encrypted patient-physician email

Axcension can also provide you with contact forms that comply with HIPAA and GLB regulations as well as email addresses for your primary domain. Additional services can be purchased through us including:

  • VPN service

  • Secure File and Document Transfer and

  • Large File Transfer

--------------------------------------------------------------------------------------------

Gramm Leach Bliley Act Compliance

GLBA (REDI) Regulated Electronic Data Interchange

REDI REQUIREMENTS and SAFETYSEND REDI ATTRIBUTES

Each numbered requirement below is followed by the SafetySend attribute that addresses it.

(1) Ensure the confidentiality, protection, integrity, and availability of electronic data (REDI) and communication information the entity creates, receives, maintains, or transmits.

Allows the Client a secure method to transfer confidential information (REDI) from the sender, through interim custody, to delivery. Validates transfer of custody to an authenticated recipient at each interval. Provides remote storage in secure folders in an uncorrupted form; transmission is via an encrypted channel to a verified recipient.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

Authentication is required to access any secured data on the system. Each data exchange is verified by the system during a document's transfer of custody and recorded in an audit trail. This dynamic authentication method is built on a personal password system, including the generation of temporary passwords for assigned, known recipients. Timed log-out protects against unauthorized system access at defined intervals or by manual exit. The system provides automatic virus filtering and updating, spam filtering, and spyware removal on demand.
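The custody and audit-trail attributes above (a document passes from the sender through interim custody to an authenticated recipient, and every hand-off is written to an audit trail that can later be reviewed) can be illustrated with an append-only, hash-chained custody log. The following Python is an added example written for this page; it is not SafetySend code, and the page does not say how SafetySend implements its audit trail. The `CustodyTrail` class, the `deposit` and `transfer` event names, the in-memory `authenticated` set standing in for the system's user directory, and the sample document and user names in `demo()` are all assumptions constructed for the illustration.

```python
"""Hash-chained chain-of-custody audit trail (added illustration, not SafetySend code)."""
import hashlib
import json

GENESIS = "0" * 64  # hash value the first entry chains from


class CustodyTrail:
    """Append-only log of custody events; each entry's hash covers the previous hash."""

    def __init__(self, authenticated):
        # Constructed stand-in for the system's user directory: custody may only
        # pass to a party that has authenticated to the system.
        self.authenticated = set(authenticated)
        self.entries = []      # list of {"prev": ..., "record": ..., "hash": ...}
        self.custodian = {}    # doc_id -> party currently holding the document

    @staticmethod
    def _digest(prev_hash, record):
        # Canonical JSON so the same record always hashes the same way.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()

    def _append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record,
                             "hash": self._digest(prev, record)})

    def deposit(self, doc_id, owner, content_sha256, when):
        """Sender places a document into system custody; its content hash is logged
        so later integrity checks can compare against it."""
        if owner not in self.authenticated:
            raise PermissionError(f"{owner} is not an authenticated user")
        if doc_id in self.custodian:
            raise ValueError(f"{doc_id} is already in custody")
        self.custodian[doc_id] = owner
        self._append({"event": "deposit", "doc": doc_id, "by": owner,
                      "sha256": content_sha256, "at": when})

    def transfer(self, doc_id, from_party, to_party, when):
        """Hand custody to a recipient. Only the current custodian may hand off,
        and only to a party that has authenticated."""
        if self.custodian.get(doc_id) != from_party:
            raise PermissionError(f"{from_party} does not currently hold {doc_id}")
        if to_party not in self.authenticated:
            raise PermissionError(f"{to_party} is not an authenticated recipient")
        self.custodian[doc_id] = to_party
        self._append({"event": "transfer", "doc": doc_id, "from": from_party,
                      "to": to_party, "at": when})

    def verify(self):
        """Return -1 if every entry chains correctly, else the index of the first
        entry whose link or hash no longer matches (tampering or deletion)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

    def history(self, doc_id):
        """The custody records for one document, in order (the reviewable audit trail)."""
        return [e["record"] for e in self.entries if e["record"]["doc"] == doc_id]


def demo():
    """Constructed scenario: a statement passes from a sender to a verified recipient."""
    trail = CustodyTrail(authenticated={"alice@example-bank.test", "bob@example-cpa.test"})
    content = b"ACCOUNT STATEMENT 2013-03 (constructed sample)"
    trail.deposit("stmt-001", "alice@example-bank.test",
                  hashlib.sha256(content).hexdigest(), "2013-04-02T10:15:01Z")
    trail.transfer("stmt-001", "alice@example-bank.test", "bob@example-cpa.test",
                   "2013-04-02T10:20:44Z")
    return trail


if __name__ == "__main__":
    t = demo()
    print("chain intact:", t.verify() == -1, "custodian:", t.custodian["stmt-001"])
```

Each entry's hash covers the previous entry's hash, so altering or deleting any earlier record changes what every later entry should hash to, and `verify()` reports the index of the first inconsistent entry. `transfer()` refuses a hand-off from anyone but the current custodian, or to a party that has not authenticated, which is the check that "validates transfer of custody to an authenticated recipient" describes.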

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.

Requires user authentication upon each timed entrance to the secure communication system.

(4) Ensure compliance with this subpart by its workforce.

Sanctions are established by the entity; compliance is under the purview of the entity's designated system administrator and is executed, at the direction of the System Administrator, by SafetySend Client Services.

(b) REDI - Flexibility of approach.

(1) Entities may use any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications as set out in their policies and procedures.

Adaptable to the evolution of GLB and HIPAA regulation without the need for software upgrades to individual user terminals or computers. Adaptations are implemented throughout the system to all users. Changes or modifications of regulations are implemented for all client users as they become law. Specific corporate security directives may also be applied.

(2) In deciding which security measures to use, an entity must take into account the following factors:

Specific policies and procedures are always the responsibility of the regulated entity. SafetySend provides the attributes for electronic communication and a component of overall compliance with regulation.

(i) The size, complexity, and capabilities of the covered entity.

Scalable to over 10,000 users in each domain, or to a larger operation when adapted, without regard to the number of authorized and authenticated users. Message, document and image sizes are unrestricted.

(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.

SafetySend does not rely on the hardware or software of the covered entity; it operates on proprietary code and secure servers established specifically for this purpose.

(iii) The costs of security measures.

Clients are not charged individually for security upgrades or modifications. System upgrades, security improvements and changes in functionality are implemented at the secure server application and immediately applied throughout the system.

(iv) The probability and criticality of potential risks to REDI.

Reduces the probability of loss by controlling access and preventing untraceable dissemination. Access is limited; transmissions are auditable; receipts are auditable; users are authenticated and identifiable.

REDI - Administrative safeguards.

A covered entity is required to address the application of Administrative Safeguards in accordance with the Regulations.

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

Security procedures are designed to detect and record attempts at unauthorized access; immediately notify network administrators of excessive password violations and attempted transfer of computer viruses; contain potentially harmful files; and write these activities to a security log. Individual tools for the detection and removal of viruses, spyware and other compromising software are available to each user from the main menu.

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of confidential and protected information held by the covered entity.

The secure network is available only to its authenticated users and provides continuous encryption of internal and external transmission of REDI. Code and algorithms are modified daily to counter intrusion attempts by outside parties. SafetySend also provides additional detection tools to assess potential security vulnerabilities of each individual computer.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Requires two levels of authentication to initiate user identification, and multi-challenge verification to change a password. Uses proprietary code; processing algorithms, virus filters and the secure firewall are updated no less than once per day.

(C) Sanction policy (Required). Entities must apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

Sanction policy is established by the covered entity on the SafetySend system; termination or suspension is decided by the entity's system administrator. In the case of an individual client, or an identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of Safety Send, Inc., which are in concert with GLB and HIPAA. Violation of those policies and procedures results in immediate suspension of privileges to use the SafetySend system.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Provides system activity review through an audit trail: a retained history of secure transmissions outside the SafetySend system as well as an equal history of transmissions within the SafetySend system.

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by regulation.

The entity designates its System Administrator, who becomes the assigned responsible party. This system administrator has access to review, modify or suspend user privileges.

(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic confidential and protected information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic confidential and protected information.

Specific access is authorized by the System Administrator. Non-access and sanction policy is established by the covered entity; termination or exclusion is decided by the entity's system administrator. Authorized access requires two levels of authentication to initiate client user identification, and dual identity verification to change a password.

(ii) Implementation specifications:

(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic confidential and protected information or in locations where it might be accessed.

Authorization is addressed under (2), (3)(i) and (4) of this section.

(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic confidential and protected information is appropriate.

The System Administrator establishes the clearance procedure and authorizes access to the system. Individual client users self-administer.

(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic confidential and protected information when the employment of a workforce member ends; access can be restricted, suspended or cancelled.

Non-access and sanction policy is established by the covered entity; termination or exclusion is decided by the entity's system administrator. Authorized access to SafetySend requires two levels of authentication to initiate client user identification, and dual identity verification to change a password. The System Administrator has authority to deny access to any user. In the case of an individual client, or an identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of Safety Send, Inc., which are in concert with HIPAA and GLB. Violation of those policies and procedures results in immediate suspension of privileges to use the SafetySend system.

(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected information that are consistent with the applicable requirements of subpart E of this part.

SafetySend policies and procedures are consistent with subpart E.

(ii) Implementation specifications:

(A) Isolating clearinghouse functions (Required). If a financial or health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic confidential protected information of the clearinghouse from unauthorized access by the larger organization.

SafetySend does not operate as a clearinghouse. These policies and procedures are specific to, and may be unique to, the entity.

(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic confidential protected information, for example, through access to a workstation, transaction, program, process, or other mechanism.

Access to all information in the SafetySend system requires two levels of authentication (proper user identification and password) and dual identity verification to change a password. Proprietary code, processing algorithms, virus filters and anti-hacking shields are updated no less than once per day.

(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

Sanction policy is established by the covered entity; termination or exclusion is decided by the entity's system administrator. In the case of an individual client, or an identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of Safety Send, Inc., which are in concert with GLB and HIPAA. Violation of those policies and procedures results in immediate suspension of system privileges. SafetySend requires two levels of authentication to initiate client user identification, and dual identity verification to change a password.

(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

Users are notified no less than annually of the security requirements of GLB and HIPAA, and whenever those security requirements are amended. Acknowledgement is required to avoid suspension of access to SafetySend.

(ii) Implementation specifications. Implement:

(A) Security reminders (Addressable). Periodic security updates.

Daily review and update of security components.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

Proprietary code guards against malicious software through constant monitoring and exclusion, and reports intrusion attempts to the targeted user. Virus and spam filters are active.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

Requires two levels of authentication to initiate client user identification, and dual identity verification to change a password. An 8-character alphanumeric password is required to enter the system. After a failed log-in, the user must give confidential answers to two levels of specific questions to obtain a temporary password, then establish a new active password.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

An 8-character alphanumeric password is required to enter the system. SafetySend requires two levels of authentication to initiate client user identification, and dual identity verification to change a password. Proprietary code, processing algorithms, virus filters and anti-hacking shields are updated no less than once per day.
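The log-in monitoring specification (C) above, and the "excessive password violations" notification under the security management process, both come down to counting failed log-ins per user inside a time window and raising an alert for the administrator. The following Python is an added example written for this page, not SafetySend code; the log line format, the five-failures-in-ten-minutes threshold, and the user names and addresses in `SAMPLE_LOG` are constructed assumptions.

```python
"""Failed log-in monitoring over constructed auth log lines (added illustration)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. The format is an assumption for this example,
# not SafetySend's actual log format; user names and addresses are made up.
SAMPLE_LOG = """\
2013-04-02T10:15:01Z user=jdoe result=FAIL src=198.51.100.7
2013-04-02T10:15:09Z user=jdoe result=FAIL src=198.51.100.7
2013-04-02T10:15:20Z user=jdoe result=FAIL src=198.51.100.7
2013-04-02T10:15:33Z user=jdoe result=FAIL src=198.51.100.7
2013-04-02T10:15:41Z user=jdoe result=FAIL src=198.51.100.7
2013-04-02T10:16:02Z user=asmith result=OK src=203.0.113.5
2013-04-02T10:40:00Z user=jdoe result=FAIL src=198.51.100.7
2013-04-02T11:02:00Z user=asmith result=FAIL src=203.0.113.5
2013-04-02T11:02:30Z user=asmith result=OK src=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(OK|FAIL) src=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
        "user": m.group(2),
        "ok": m.group(3) == "OK",
        "src": m.group(4),
    }


def excessive_failures(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per burst of >= threshold failed log-ins by the same user
    within `window`. A successful log-in clears that user's failure window."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerted = set()               # users already reported for the current burst
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue              # unparseable line; a production monitor should count these too
        q = recent[ev["user"]]
        if ev["ok"]:
            q.clear()
            alerted.discard(ev["user"])
            continue
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop failures that fell outside the window
        if len(q) >= threshold and ev["user"] not in alerted:
            alerts.append({"user": ev["user"], "count": len(q), "src": ev["src"],
                           "first": q[0], "last": ev["ts"]})
            alerted.add(ev["user"])
    return alerts


if __name__ == "__main__":
    for a in excessive_failures(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {a['count']} failures from {a['src']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

A successful log-in clears the user's failure window, and the alert fires once per burst (until the next successful log-in) so an administrator is not paged on every further failure; the threshold and window are parameters so they can be set to the entity's own policy.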

(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.

Authentication upon system entrance; verified change of custody by receipt against an established password or a temporary password issued to a known receiver; timed log-out of the system after 20 minutes, or by manual exit; automatic virus filtering and updating; spyware removal on demand. Users are notified of attempted intrusion incidents. A user responsible for a non-compliance incident is suspended until the suspension is released by the System Administrator.

(ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Access is suspended and denied by action of the System Administrator, or upon notification by the System Administrator, for any user suspected of a security incident. Individual client users are self-administered under their own responsibility. Should SafetySend become aware of a security incident, access and use are suspended immediately, or within one day of notification, that being the extent practicable.

(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected information.

Contingency plan for response to an emergency or other occurrence, safeguarding REDI. Destruction of or damage to user and/or entity computers does not destroy or deny access to protected data on SafetySend secure servers. SafetySend operates backup servers at a second location in the event of loss or damage to the primary client storage servers.

(ii) Implementation specifications:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected information.

Provides storage of REDI backup files in retrievable Secure Folders. SafetySend is the backup, at two sites, for the entity or individual client user.

(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of REDI data.

Secure backup servers at secondary locations restore data in the event of a disaster. SafetySend is the backup, at two sites, for the entity or individual client user.

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected information while operating in emergency mode.

SafetySend is an ASP (application service provider) system, allowing continuation of operations from alternate locations where Internet connections can be made. Critical business processes can function without interruption as long as Internet access is available.

(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

SafetySend contingency plans are reviewed and revised on a regular basis.

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

SafetySend assesses critical applications on a regular basis.

(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under the regulation and subsequently in response to environmental or operational changes affecting the security of regulated REDI (health and/or financial information), that establishes the extent to which an entity's security policies and procedures meet the regulatory requirements of this subpart.

SafetySend reviews all operational changes for compliance prior to implementation, and reviews for changes in compliance requirements quarterly and no less than three times per year, modifying the system as needed. All servers are under physical security as well as technical security provided by proprietary code.

(b)(1) Standard: Business associate contracts and other arrangements. A regulated entity, in accordance with the applicable HIPAA or GLB regulation, may permit a business associate to create, receive, maintain, or transmit regulated electronic protected information on the entity's behalf only if the entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures.

(2) This standard may or may not apply with respect to the following (application of a specific part and subpart is determined by the regulated entity):

(i) The transmission by a covered entity of regulated electronic information to a health care or financial service provider concerning the treatment of an individual.

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user.

(ii) The transmission of regulated electronic information by a regulated financial entity, association or health entity, group plan, HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of the applicable regulation are met.

A Compliance Guideline is available to Entities, Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user.

(iii) The transmission of REDI from or to other agencies providing services, when the regulated entity is a financial entity, agency or health plan that is a government program providing public benefits, if the requirements of the applicable regulation are met.

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user.

(3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of the applicable regulations and subject to penalties from the enforcing agencies or departments.

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user.

(4) Implementation specification: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements.

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user.

Physical safeguards. A covered entity must, in accordance with the specific regulation:

Physical safeguards are under the control of the regulated entity.

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures.

(2) Implementation specifications:

(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. All communication is retrievable from SafetySend.

(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user.

(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the regulated entity or client user.

(b) Workstation use. Regulated entities are required to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected information.

A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user. Specific procedures are the responsibility of

About GLB

The Gramm-Leach-Bliley Act of 1999 (GLB Act)

The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to “financial institutions,” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional “financial institutions” are regulated by the FTC.

The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.”

COPYRIGHT 2013

AXCENSION, INC.

ALL RIGHTS RESERVED.